On Sat, May 27, 2017 at 05:46:57PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> On 2017-05-26 18:51, Sumit Bose via FreeIPA-users wrote:
> > [...]
> > Did you ‘Allow GSSAPI credential delegation’ in the putty configuration?
> > Additionally the internal Windows Kerberos handling only allows
> > delegation to hosts which have the ok-to-delegate flag set in the
> > Kerberos service ticket.
> > 
> > Please check with 'ipa host-show hostname' if 'Trusted for delegation:
> > True', if not please try 'ipa host-mod hostname --ok-as-delegate=True'.
> 
> Setting the flag solved the problem. Thanks a lot.
> 
> Can this flag be set by default for new hosts?

As far as I know IPA does not offer such an option. IMO it would not be
a good idea to enable it by default. Since delegation means that your
full TGT is forwarded, the target host should really be trusted because
otherwise someone with e.g. physical access to the host might be able to
steal the TGT and use it as long as the ticket is valid.

bye,
Sumit

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
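
Since the flag should only be set on hosts that are really trusted, the following added example (not part of the original thread) audits which hosts carry it and reports any that are not on an approved list. It assumes records in the style of `ipa host-find --all` output with `Host name:` and `Trusted for delegation:` fields; the function names, host names and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report hosts trusted for delegation that were not approved.
# Assumption: input looks like `ipa host-find --all` output, one record per
# host, with "Host name:" and "Trusted for delegation:" fields.

# Constructed sample output (not taken from a real deployment).
sample_output() {
    cat <<'EOF'
  Host name: bastion.example.test
  Principal name: host/bastion.example.test@EXAMPLE.TEST
  Trusted for delegation: True

  Host name: web1.example.test
  Trusted for delegation: False

  Host name: kiosk.example.test
  Trusted for delegation: True
EOF
}

# Print every host whose record says "Trusted for delegation: True".
delegation_hosts() {
    awk -F': *' '
        { sub(/^[ \t]+/, "", $1); sub(/[ \t\r]+$/, "", $2) }
        $1 == "Host name" { host = $2 }
        $1 == "Trusted for delegation" && tolower($2) == "true" { print host }
    '
}

# Print delegation-enabled hosts that are NOT in the approved list
# (one approved FQDN per argument). Empty output means no drift.
unexpected_delegation() {
    delegation_hosts | while read -r h; do
        approved=no
        for a in "$@"; do
            if [ "$h" = "$a" ]; then approved=yes; fi
        done
        if [ "$approved" = no ]; then echo "$h"; fi
    done
}

# Demo on the constructed sample; on an IPA client, pipe in
# `ipa host-find --all` instead of sample_output.
sample_output | unexpected_delegation bastion.example.test
```

Any host this prints either needs a recorded justification for receiving forwarded TGTs or should have the flag cleared.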